When actions speak louder than words: Using changes in operator behavior and system efficiency measures to detect the presence of a cyber attack

2018 
Increases in cyber incidents have required substantial investments in cyber defense for national security. However, adversaries have begun moving away from traditional cyber tactics in order to escape detection by network defenders. The aim of some of these new types of attacks is not to steal information, but rather to create subtle inefficiencies that, when aggregated across a whole system, result in decreased system effectiveness. The aim of such attacks is to evade detection for long durations, allowing them to cause as much harm as possible. As a result, such attacks are sometimes referred to as “low and slow” (e.g., Mancuso et al., 2013). It is unknown how effective operators are likely to be at detecting and correctly diagnosing the symptoms of low and slow cyber attacks. Recent research by Hirshfield and colleagues (2015) suggests that the symptoms of the attack may need to be extreme in order to gain operator recognition. This calls into question the utility of relying on operators for detection a...